3 Big Challenges Facing Vendor Risk Management—and How to Respond
What if you never had to fill out another security assessment questionnaire ever again?
According to our annual State of Vendor Security report, we’re not the only ones asking that question. In our latest survey of more than 500 cyber and infosec leaders, we gained a lot of insight into some of the key pain points in the assessment process:
- Sheer volume of questionnaires
- Constant back-and-forth over email with customers and vendors
- Coordination with sales teams
These unfortunate realities can manifest in downstream problems for your business, but their immediate impact is felt in time (more on that in a minute). It seems clear that many are working through lunches, evenings, and weekends trying to keep up with the demand.
Last week, we took a closer look at some of the implications of our survey data to identify key themes. This week, we’re going to dive into some of these pain points and other challenges our survey uncovered, and—most importantly—identify possible solutions to combat them.
Challenge: Time in the Assessment Process (or: What You Can’t Do Instead)
As Hootie and the Blowfish once so poignantly lamented, “Tiiiime, why you punish me?” It’s very possible (even likely) that they were singing about the vendor security assessment process.
Whether it’s time spent filling out questionnaires, waiting for responses, emailing back and forth to iron out details of assessments, fending off vigilant sales teams, or managing approvals, there is no escaping the serious time toll for infosec teams. Our survey data validate the pain:
- 50% of the companies surveyed spend more than 20 hours each week assessing vendors; an additional third spend more than 30 hours
- 54% of companies respond to at least 11 security questionnaires each month; 20% respond to more than 26 per month, while 9% respond to a whopping 50+
- 54% also report that the average time to complete a questionnaire is 1-4 hours
We’ll spare you the grisly details of how long it takes the remaining 46% (check out the full report here), but the trend is clear: time that might be spent on higher-leverage security activity (or even simply enjoying a 20-minute lunch break) is spent managing the assessment process.
Solution: Revisit Your Assessment Process to Get Proactive
The clearest solution is to get rid of the security questionnaire entirely. That’s Whistic’s goal, and we’re really excited about what we’ve accomplished. But along the way, it’s important to focus on your existing processes to ensure they support proactive engagement.
Here are some of the common elements of proactive vendor assessment processes:
Streamlined vendor intake
Constantly having to find the information needed to even initiate an assessment can be a drain on time and resources. Centralize all necessary information for determining inherent risk (or find the right tool to help you) so you can more quickly assign inherent risk and proceed with the right plan for that designation.
Clear, consistent assessment methodology
Once you’ve assigned inherent risk during intake, you can better understand what’s needed in terms of the frequency and thoroughness of your assessment. This will help you triage high-risk, time-intensive vendors and low-risk, low-touch vendors.
Maximized for automation
The assessment process should be as hands-off as possible in order to move more quickly. Automation can help eliminate lots of manual work. One example (of many) is to automate assessment requests so they are triggered by certain risk thresholds as defined by your methodology. This helps you save the time you’d spend manually managing this process.
Seek out other proactive vendors
The most effective way to conduct more seamless vendor assessments is to seek out partners that are transparent about their security posture and share it publicly. There are many ways to do this (including through the Whistic Trust Catalog); doing so not only establishes a firm foundation of trust, but also eliminates much of the back-and-forth of the existing process.
At Whistic, we call this mutually proactive approach “Zero-Touch” assessment. Our platform data shows that Zero-Touch assessments reduce the average time it takes to receive a completed questionnaire from 12.7 days to two minutes. In fact, 99% of our customers that utilize Zero-Touch see a dramatically reduced turnaround time.
Challenge: Stretching Sales Resources (or: More Emails and Meetings for InfoSec)
In our 2023 survey, 64% of respondents report that sales is either “Always” or “Almost Always” involved in responding to at least a portion of all questionnaires. In business terms, time that could be spent on sales activity is diverted to the assessment process. Fixing this problem can help CISOs make a stronger business case for more resources.
But there’s also a practical, everyday impact. Because your sales team doesn’t have expertise in your security posture, they rely even more heavily on infosec. That means more email communication, more status updates, and more meetings.
Solution: Help Sales Help Themselves
Okay, so that headline is a little cheeky. But the truth is, a proactive security assessment process that includes a link to your centralized security posture gives your sales team the power to share with customers and prospects at the push of a button.
With Whistic Profile, your sales team is empowered to share everything you need for a security assessment from a single link. This is possible because Whistic integrates with Salesforce and Slack; not only does this make sharing easier, it also affords your sales team greater visibility into who is requesting, viewing, or sharing your Profile.
That also means sales can monitor and keep the process moving—without the need for additional interventions from infosec. Even better? Reporting through the Salesforce and Slack integrations allows infosec to better measure the business impact of their streamlined assessment process.
Challenge: Moving Away from Legacy Processes (or: Keep the Momentum Rolling)
First, a bit of good news: 46% of respondents in our survey report that the vendor assessment process is better than it’s historically been. Of course, more than half of companies surveyed also say their process could use improvement, but progress is progress.
One of the hurdles standing in the way of even greater momentum is a lack of acceptable standards of trust and transparency inherent in older, legacy processes. The truth is, the very point of vendor security assessments is to create a threshold of trust and mutual accountability for the safety of critical data. Building better standards, better processes, and better relationships is essential for paving a smoother road to trust.
Solution: The Security First Initiative
This is perhaps the greatest of these challenges, but at Whistic, we’ve never shied away from a challenge. That’s why we helped found the Security First Initiative in 2022 alongside some of the world’s leading tech companies, including Okta, Airbnb, Atlassian, and Snap. This coalition has invited companies everywhere to:
- Build and maintain security profiles that contain relevant standard questionnaires, certifications, and audits
- Share that information publicly and proactively with their customers
- Create an expectation that every company they work with will adopt the same proactive, transparent approach
We believe that transparency and collaboration lead to a vendor security ecosystem that is better protected against and prepared to respond to future third-party data breaches. It also doesn’t hurt that proactive transparency makes life easier for customers, infosec, and sales.
Read the Full 2023 State of Vendor Security Report
We’ve only just brushed the tip of the iceberg when it comes to the stats, themes, and findings from our full 2023 report. It’s stuffed with insights from peers, opportunities for benchmarking, and tips and tricks for utilizing the data on your vendor risk management team. Make sure you download your free copy today.
If you’d like to learn more about how Whistic can help you implement some of the solutions we’ve mentioned here, please reach out to schedule a demo. It’s a stress-free way to get proactive about your vendor assessment process.